Videos

With WannaCry barely in the rear view mirror, ransomware was back in the spotlight with a new malware dubbed NotPetya. We can expect to see new ransomware strains as advanced attackers continue to evolve their tactics, and the ramifications for business will be significant if proactive measures are not taken. In previous posts, we’ve deconstructed ransomware and offered mitigation tips. To protect your organization, it’s important to be informed and have baseline knowledge.

Here are five things to know about ransomware:

What is ransomware? Ransomware is a type of malicious software, or malware, that denies access to files and data until a ransom is paid. There are two distinct types of ransomware. The most common is crypto ransomware, which encrypts sensitive data and files until a ransom is paid. The other type, locker ransomware, locks a device, completely preventing the victim from using it. In most cases, ransomware encrypts personal files, blocking users from accessing them. Victims are given instructions on how to pay the requested ransom, and only after doing so are they given a decryption tool that will unlock the files.

How does ransomware encryption work? A well-designed ransomware strain will typically use an asymmetric encryption algorithm, which leverages a pair of keys – one public and one private. Data encrypted with the public key can only be unlocked by the matching private key, and vice versa.

How do victims pay cyber ransoms? Ransoms are typically paid in the cryptocurrency Bitcoin due to its anonymity and because it is difficult to trace.

How much is a typical ransom? Requested ransom amounts can vary wildly. In the WannaCry attacks, victims were asked to pay between $300 and $600 in Bitcoin to have their files unlocked. This may not seem like much, but it’s important to consider the other, more severe, costs resulting from such attacks due to downtime caused by lack of access to systems. Shockingly, it was recently reported that a South Korean web hosting provider paid $1 million in bitcoins to hackers after a Linux ransomware infected its servers and encrypted the website data hosted on them – a big jump from the amount the Hollywood Presbyterian Medical Center reportedly paid last year.

How do I mitigate risk? Ransomware prevention measures can seem particularly daunting, as administrator rights are not always required for some of today’s advanced strains of malware to compromise an end user’s machine and infect the endpoint. This means that while privilege management can play a role in mitigating risk, many strains of ransomware can encrypt data using standard user rights. So even if an organization has removed local administrator rights, this doesn’t necessarily mitigate the risk. However, testing at CyberArk Labs demonstrated that application control, including greylisting, coupled with the removal of local administrator rights, was 100 percent effective in preventing ransomware from encrypting files.

In this CyberArk Customer Spotlight video, we speak with Laura Melton, Senior Information Technology Associate at Texas A&M University College of Architecture, about the importance of removing local administrator rights to strengthen endpoint security.

By deploying CyberArk Endpoint Privilege Manager, the university has reduced privileges and minimized risks of information being stolen or encrypted by ransomware – all without impacting user and helpdesk productivity. With the CyberArk solution, a combination of least privilege security and application control reduces the risk of malware infection. Unknown applications run in a restricted mode to contain threats and behavioral analysis blocks credential theft attempts, while giving IT administrators enhanced visibility.

Discovery is the first step in establishing effective privileged account security. In our experience and research, organizations typically have at least 3 to 4 times more privileged accounts than employees. This data point gives organizations an idea of what to expect in terms of the scope of the project, but each environment is different; the actual numbers vary and can be significantly higher. To help organizations discover how many privileged accounts they have and where they exist, CyberArk offers a free Discovery & Audit tool. With this risk assessment tool, organizations gain visibility into privileged account vulnerabilities across the IT network.

Password hashes – Passwords are frequently hashed and stored on local machines for user convenience by the operating system, but attacks such as Pass-the-Hash leverage these vulnerable password hashes in order to execute a credential theft attack, impersonate employees, and access valuable assets and data. CyberArk Discovery & Audit illustrates which machines store privileged passwords and how an attacker can execute a Pass-the-Hash and Golden Ticket attack.

SSH keys – Stored throughout a network, SSH keys pose a major challenge to security teams because these privileged credentials can be easily created without a record, and they are difficult to track, manage or control. CyberArk Discovery & Audit identifies SSH keys (including orphan SSH keys) and illustrates trust relationships that enable access to privileged accounts.

Unix security risks – Organizations frequently use sudo (superuser do) to enforce least privilege policies, yet they don’t realize that many sudoers files unknowingly contain misconfigurations that enable privileged users to work around sudo in order to escalate their privileges. It’s particularly critical to protect Unix environments because they often host an organization’s most sensitive data. CyberArk Discovery & Audit discovers potential misconfigurations that could allow users to elevate privileges in Unix without authorization.
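As an added illustration of the kind of sudoers review described above (example code written for this page, not CyberArk’s tool), the following script parses a constructed sudoers sample and flags rule patterns that sudoers(5) itself documents as risky: NOPASSWD on ALL, unrestricted ALL for non-root principals, wildcards in command arguments, and "!" exclusions. The sample file content and the severity labels are assumptions made for the demonstration.

```python
import re

# Constructed sample sudoers content for the demonstration (not a real file).
SAMPLE_SUDOERS = """\
# Constructed sample: a few typical sudoers entries
Defaults    env_reset
root        ALL=(ALL:ALL) ALL
%admin      ALL=(ALL) ALL
deploy      ALL=(ALL) NOPASSWD: ALL
backup      ALL=(root) NOPASSWD: /usr/bin/rsync *
webops      ALL=(root) /usr/bin/systemctl restart nginx
ops         ALL=(ALL) ALL, !/bin/su
"""

# who  hosts=(runas) command list   (Defaults and comments are skipped)
RULE_RE = re.compile(
    r"^(?P<who>\S+)\s+(?P<hosts>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$"
)


def audit_sudoers(text):
    """Return (line_number, principal, severity, message) tuples for risky rules."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()          # drop comments and blanks
        if not line or line.startswith("Defaults"):
            continue
        m = RULE_RE.match(line)
        if not m or m.group("who") == "root":        # root cannot escalate further
            continue
        who, cmds = m.group("who"), m.group("cmds")
        nopasswd = "NOPASSWD:" in cmds
        for cmd in (c.strip() for c in cmds.replace("NOPASSWD:", "").split(",")):
            if cmd.startswith("!"):
                # sudoers(5): commands cannot reliably be "subtracted" from ALL with "!"
                findings.append((lineno, who, "medium", "'!' exclusion is not an effective restriction"))
            elif cmd == "ALL" and nopasswd:
                findings.append((lineno, who, "high", "NOPASSWD on ALL grants unrestricted root without a password"))
            elif cmd == "ALL":
                findings.append((lineno, who, "info", "ALL commands is equivalent to full root; confirm this is intended"))
            elif "*" in cmd:
                # a wildcard in arguments lets the caller append arbitrary extra arguments
                findings.append((lineno, who, "medium", "wildcard in command arguments"))
    return findings


if __name__ == "__main__":
    for lineno, who, sev, msg in audit_sudoers(SAMPLE_SUDOERS):
        print(f"line {lineno:2} [{sev:6}] {who}: {msg}")
```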

An organization’s privileged account attack surface is typically massive as it includes every piece of hardware and software in the enterprise including routers, firewalls, databases, servers, applications, endpoints, etc. With potential vulnerabilities hiding in every corner of the IT infrastructure, it’s vital to gain visibility of the attack surface. A good start is to find and identify privileged accounts across the organization – which is exactly what CyberArk Discovery and Audit is designed to do.

With knowledge of how many privileged accounts exist, and the status of each privileged credential, organizations can begin a privileged account security program by securing the highest risk accounts with a centralized solution. As organizations implement security controls, they can measure progress with metrics on privileged account security health. These milestones help to justify privileged account security programs by proving tangible ROI measures, which are also an effective way to engage with stakeholders. We encourage you to learn more about this valuable tool.

Research shows that most advanced attacks today start with phishing or spam emails sent to non-privileged business users. These phishing attacks often utilize ransomware – a form of sophisticated malware that blocks access to sensitive files by encrypting them and demands payment in order for the user to access the files again. According to recent research highlighted in a CSO article, 93 percent of all phishing emails contained encryption ransomware as of March 2016.

Ransomware is on the rise, and attackers increasingly use this approach to target enterprise organizations. Ransomware can be particularly challenging to combat, as once inside the network, it can compromise machines, steal data, capture credentials or damage systems all without using any administrative privileges. If an organization has removed users’ administrative rights on endpoints and servers but is not monitoring and controlling which applications are allowed to run on these machines, a rogue application containing ransomware, which does not require administrative privileges to run, can enter the infrastructure and execute in the environment. This gives attackers a foothold into the organization.

In the short video below, Jessica Stanford, CyberArk’s Senior Product Marketing Manager, shares best practices for mitigating the risk of ransomware, from employing defense-in-depth and regularly backing up files to applying a combination of least privilege and application control.

In another article, Jessica noted research the CyberArk Labs team conducted to test how CyberArk Viewfinity protects against known and unknown variants of ransomware. The team manually tested 450 specific ransomware samples from 14 different crypto families (including Cryptolocker, Petya, and Locky) – focusing on the most common and notorious ransomware strains. CyberArk Viewfinity was able to block 100% of the ransomware samples from successfully encrypting files.

As attackers become more adept in circumventing defenses, organizations are increasingly vulnerable to ransomware and other types of sophisticated malware. To learn more about how to strike the right balance between security and usability to effectively reduce the attack surface while keeping users productive, please visit www.CyberArk.com/Viewfinity.

Today, enterprise IT security teams increasingly recognize that compliance does not equal security. Taking a compliance or project approach is not enough to secure a business. Although important, compliance is table stakes in the world of advanced, persistent threats. The sophistication of attackers continues to increase, and they now operate inside of networks – stealing credentials and escalating privileges to reach a goal.

Security requires much more than a “following the auditor” mentality – it requires a holistic program. A great example of this mantra can be found in a recent Computerworld article written by a security manager whose name and company were disguised for obvious reasons. The author discusses the need for his organization to meet requirements for a tougher certification of its credit card-handling practices. Along the way, he was able to prove compliance, but he also discovered the requirements weren’t enough to protect the organization from security risks. He planned to make additional changes as a result.

Used as an attack vector in virtually every advanced targeted attack, it’s widely recognized that unprotected privileged accounts and credentials present critical risks to enterprises. It has become clear that in order to truly protect an organization’s data – and business – from devastating breaches, these privileged accounts and credentials must be secured and managed in order to limit the damage of an attack, to stop lateral movement and to avoid complete network takeovers.

In a short video, CyberArk CMO John Worrall explains that organizations increasingly view privileged account security as a strategic priority – and launch programs, not tactical projects. Today, many C-level security professionals have enterprise-wide mandates to address what is now widely viewed as a horizontal risk. Businesses must adapt – add a new layer of security inside the network to secure the IT systems. Businesses run on IT, so the stakes are high if trust is not established and maintained. Watch the video.